npm - @setzkasten-cms/astro-admin - Versions diffs - 1.3.0 → 1.4.0 - Mend

@setzkasten-cms/astro-admin 1.3.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +7 -6
package/src/api-routes/icons-local.ts +169 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@setzkasten-cms/astro-admin",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Setzkasten Admin-UI, Init-Wizard und Adoptions-Pipeline für Astro",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",
@@ -37,6 +37,7 @@
     "./init-add-section": "./src/api-routes/init-add-section.ts",
     "./init-migrate": "./src/api-routes/init-migrate.ts",
     "./deploy-hook": "./src/api-routes/deploy-hook.ts",
+    "./icons-local": "./src/api-routes/icons-local.ts",
     "./catalog": "./src/api-routes/catalog-list.ts",
     "./catalog-add": "./src/api-routes/catalog-add.ts",
     "./catalog-export": "./src/api-routes/catalog-export.ts",
@@ -74,11 +75,11 @@
   },
   "dependencies": {
     "@astrojs/compiler": "^3.0.0",
-    "@setzkasten-cms/catalog": "1.3.0",
-    "@setzkasten-cms/auth": "1.3.0",
-    "@setzkasten-cms/core": "1.3.0",
-    "@setzkasten-cms/github-adapter": "1.3.0",
-    "@setzkasten-cms/ui": "1.3.0"
+    "@setzkasten-cms/auth": "1.4.0",
+    "@setzkasten-cms/catalog": "1.4.0",
+    "@setzkasten-cms/core": "1.4.0",
+    "@setzkasten-cms/ui": "1.4.0",
+    "@setzkasten-cms/github-adapter": "1.4.0"
   },
   "peerDependencies": {
     "astro": "^5.0.0",

package/src/api-routes/icons-local.ts ADDED Viewed

@@ -0,0 +1,169 @@
+import type { APIRoute } from 'astro'
+import {
+  LOCAL_ICONS_DISCOVERY_PATHS,
+  resolveLocalIconsPaths,
+  sanitizeSvg,
+} from '@setzkasten-cms/core'
+import { resolveStorageConfigForRequest, prefixPath } from './_storage-config'
+import { resolveGitHubTokenForRequest } from './_github-token'
+/**
+ * GET /api/setzkasten/icons/local
+ *
+ * Lists `.svg` files from the website's local icons folder(s) so the admin
+ * picker can render them as a "Lokal" tab.
+ *
+ * Path resolution:
+ *  1. If `icons.localPath` is set in the website config, scan exactly the
+ *     listed folders (string or string[]). Whatever the user wrote wins.
+ *  2. Otherwise, scan `LOCAL_ICONS_DISCOVERY_PATHS` until a folder yields
+ *     at least one SVG. Lets projects with `public/icons/` or
+ *     `src/assets/svg/` work without touching their config — and surfaces
+ *     the discovered path so the admin can copy it into setzkasten.config.ts.
+ *
+ * Response:
+ *   {
+ *     icons: Array<{ name, svg, source }>,
+ *     paths: string[],            // paths that contributed icons
+ *     discovered: boolean,        // true when discovery fallback ran
+ *   }
+ *
+ * Each `svg` value is server-side sanitized.
+ */
+export const GET: APIRoute = async ({ request, cookies }) => {
+  if (!cookies.get('setzkasten_session')?.value) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const token = tokenResult.value
+  const storage = await resolveStorageConfigForRequest(request)
+  if (!storage) {
+    return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
+  }
+  const { owner, repo, branch, projectPrefix } = storage
+  const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__ as
+    | { icons?: { localPath?: string | readonly string[] } }
+    | undefined
+  const configured = resolveLocalIconsPaths(fullConfig?.icons ?? null)
+  const discovered = configured === null
+  const candidatePaths = configured ?? LOCAL_ICONS_DISCOVERY_PATHS
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    Accept: 'application/vnd.github+json',
+    'X-GitHub-Api-Version': '2022-11-28',
+  }
+  // Scan paths in order. In configured mode, every path contributes —
+  // brand icons + product icons can happily coexist. In discovery mode,
+  // we stop after the first hit so we don't show e.g. raster assets in
+  // `public/icons` next to the real icons in `src/icons`.
+  const MAX_ICONS = 200
+  const yieldedPaths: string[] = []
+  type DirEntry = { name: string; type: 'file' | 'dir'; download_url?: string | null }
+  const allEntries: Array<{ path: string; entry: DirEntry }> = []
+  for (const relativePath of candidatePaths) {
+    if (allEntries.length >= MAX_ICONS) break
+    const path = prefixPath(relativePath, projectPrefix)
+    const listRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
+      { headers },
+    )
+    if (listRes.status === 404) continue
+    if (!listRes.ok) continue
+    const json = await listRes.json().catch(() => null)
+    if (!Array.isArray(json)) continue
+    const svgs = (json as DirEntry[]).filter(
+      (e) => e.type === 'file' && e.name.toLowerCase().endsWith('.svg'),
+    )
+    if (svgs.length === 0) continue
+    yieldedPaths.push(relativePath)
+    const remaining = MAX_ICONS - allEntries.length
+    for (const entry of svgs.slice(0, remaining)) {
+      allEntries.push({ path: relativePath, entry })
+    }
+    if (discovered) break
+  }
+  // Bounded parallel fetch. Without this cap, hundreds of simultaneous
+  // requests against raw.githubusercontent.com carrying the user's token
+  // would burn rate limits on the first picker open.
+  const PARALLELISM = 8
+  type Entry = { path: string; entry: DirEntry }
+  type Result = { id: string; name: string; svg: string; source: string }
+  const results: Array<Result | null> = new Array(allEntries.length).fill(null)
+  let cursor = 0
+  async function worker() {
+    while (true) {
+      const idx = cursor++
+      if (idx >= allEntries.length) return
+      const { path, entry } = allEntries[idx]!
+      results[idx] = await fetchAndSanitize(path, entry, token)
+    }
+  }
+  await Promise.all(Array.from({ length: Math.min(PARALLELISM, allEntries.length) }, worker))
+  // De-dupe by stable id ("path/basename") so colliding basenames across
+  // folders don't corrupt React keys or storage. Stored value uses the
+  // namespaced id; the bare basename is kept as a label for the picker.
+  const seen = new Set<string>()
+  const icons: Result[] = []
+  for (const r of results) {
+    if (!r) continue
+    if (seen.has(r.id)) continue
+    seen.add(r.id)
+    icons.push(r)
+  }
+  return Response.json({
+    icons,
+    paths: yieldedPaths,
+    discovered,
+  })
+}
+async function fetchAndSanitize(
+  path: string,
+  entry: { name: string; download_url?: string | null },
+  token: string,
+): Promise<{ id: string; name: string; svg: string; source: string } | null> {
+  const baseName = entry.name.replace(/\.svg$/i, '')
+  const url = entry.download_url
+  if (!url) return null
+  // Token only goes to GitHub-controlled hosts. The Contents API can in
+  // principle return any download_url; refusing other hosts means a
+  // future API change can't quietly leak the token to third parties.
+  let parsed: URL
+  try {
+    parsed = new URL(url)
+  } catch {
+    return null
+  }
+  const host = parsed.hostname
+  const githubHost = host === 'raw.githubusercontent.com' || host.endsWith('.githubusercontent.com')
+  if (!githubHost) return null
+  try {
+    const res = await fetch(url, { headers: { Authorization: `Bearer ${token}` } })
+    if (!res.ok) return null
+    const raw = await res.text()
+    const svg = sanitizeSvg(raw)
+    if (!svg) return null
+    return { id: `${path}/${baseName}`, name: baseName, svg, source: path }
+  } catch {
+    return null
+  }
+}